Use Nested Roles in LDAP

It is possible to nest user roles such that one role includes all of the users of another role. Doing this external to the core LDAP structure prevents recursive directory queries to find all parents of a given child role. Follow the directions below to modify the BA Server to support nested roles for LDAP and MSAD authentication types.

Stop the BA Server or service.

sh /usr/local/pentaho/server/biserver-ee/stop-pentaho.sh

Open the /pentaho/server/biserver-ee/pentaho-solutions/system/applicationContext-spring-security-ldap.xml file with a text editor.

In the populator bean definition, replace DefaultLdapAuthoritiesPopulator with NestedLdapAuthoritiesPopulator in the bean's class attribute; the bean's other settings stay as they are.
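The substitution in the step above, shown on a populator bean as it typically appears in applicationContext-spring-security-ldap.xml. This is an added illustration, not a fragment of the Pentaho documentation or of a shipped configuration file: the constructor arguments, property names and ${...} placeholders are assumed from a standard Spring Security LDAP populator, and the package prefix of NestedLdapAuthoritiesPopulator is assumed from the Pentaho platform sources, so check both against the bean already in your file and keep whatever settings it carries.

```xml
<!-- Added example, not from the original page. Property names, placeholders and the
     Pentaho package prefix are assumptions; only the class attribute is meant to change. -->

<!-- Before: flat lookup. The user gets only the groups that list the user directly, so a
     parent role that merely contains one of those groups is never granted. -->
<bean id="populator"
      class="org.springframework.security.ldap.userdetails.DefaultLdapAuthoritiesPopulator">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1" value="${contextSource.groupSearchBase}" />
  <property name="groupRoleAttribute" value="${populator.groupRoleAttribute}" />
  <property name="groupSearchFilter" value="${populator.groupSearchFilter}" />
  <property name="rolePrefix" value="${populator.rolePrefix}" />
  <property name="convertToUpperCase" value="${populator.convertToUpperCase}" />
  <property name="searchSubtree" value="${populator.searchSubtree}" />
</bean>

<!-- After: nested lookup. The server resolves the parents of each directly held group in
     the application, so no recursive query is issued against the directory. Everything
     except the class attribute is carried over unchanged. -->
<bean id="populator"
      class="org.pentaho.platform.plugin.services.security.userrole.ldap.NestedLdapAuthoritiesPopulator">
  <constructor-arg index="0" ref="contextSource" />
  <constructor-arg index="1" value="${contextSource.groupSearchBase}" />
  <property name="groupRoleAttribute" value="${populator.groupRoleAttribute}" />
  <property name="groupSearchFilter" value="${populator.groupSearchFilter}" />
  <property name="rolePrefix" value="${populator.rolePrefix}" />
  <property name="convertToUpperCase" value="${populator.convertToUpperCase}" />
  <property name="searchSubtree" value="${populator.searchSubtree}" />
</bean>
```

After restarting the server, confirm the change by logging in as a user who belongs only to a child group and checking that the parent role now appears in the user's granted authorities; with the flat populator it will not.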

Save the file, then edit /pentaho/server/biserver-ee/pentaho-solutions/system/applicationContext-pentaho-security-ldap.xml. This step and the next are only necessary if the roles that serve as "parents" to nested roles cannot be returned by a traditional all-authorities search.

Add an extraRoles bean to the list of transformers in the ChainedTransformers bean, and set properties for each parent role (represented by example_role below).